2013 was the year of Edward Snowden, the NSA Contractor who revealed the extent of access by US and European intelligence agencies to personal data held by major internet and telecommunications companies. The revelations provoked a long-overdue debate on the proper balance in a democratic society between the protection of personal data and the obligation on governments to take measures against those who would use these services to further criminal objectives.

In last year's annual report, I referred to the increased pressure on the resources of our Office. I noted that this pressure was likely to increase under the "one-stop-shop" arrangement being proposed at EU level for oversight of multinational companies. The Government has responded by providing additional staffing and funding. We are therefore well-placed to discharge the additional responsibilities that arise for our Office from the increasing number of information-rich multinational companies that are choosing Ireland as a base from which to provide services on an EU-wide.

We are now seeing a definite shift in the nature and type of complaints received by the Office from the traditional complaint related to inappropriate or unfair use of personal data to a clearer technology focus with individuals concerned about the security of their personal data and the uses made of that data by software and technology applications. Last year for the first time the number of data breach notifications outstripped the number of complaints opened for investigation (by six). The need to deal with the reality of the potential impact on individual privacy and data protection rights which can be caused by poorly thought out technology is in many respects the back-drop to the European Commission's proposals for a new uniform Data Protection Regulation that will apply across all EU Member States.

2010 was a year of continuity, change and anticipated change. We continued to use the full “tool-kit” provided to us by law. This permitted us to deal with legitimate complaints from individuals about denial of their data protection rights.

2009 was a year of change - both actual and promised - in the legal framework governing data protection. The Lisbon Treaty embedded data protection as a fundamental right of European Union citizens. It provided the basis for an extension of data protection rights into all areas of EU activity. It gave new authority to the European Parliament as co-legislator in this area.

Twentieth Annual Report of the Data Protection Commissioner 20082008 was the year of data security. Lapses in both the public and private sectors led to significant losses of personal data. Some of these losses were reported in the media. There was heightened concern about the general quality of data security in this country.The question was increasingly asked: can we trust organisations to guard the personal data that we provide to them?
[First published on 13 May 2009]

Nineteenth Annual Report of the Data Protection Commissioner 2007Some key points in the Annual Report include: Privacy and the public sector – a need for balance between the demands of security and efficiency in the public sector, on the one hand, and the individual's right to privacy on the other; The responsibilities of private sector organisations in regard to the personal data of their customers and clients; The increasing level of awareness of the rights given to individuals by the Data Protection Acts.
[First published on 8 May 2008]

Eighteenth Annual Report of the Data Protection Commissioner 2006The need to find a balance between the demands of security, crime prevention and legitimate commercial interests, on the one hand, and the individual's right to privacy, on the other were increasingly on the data protection agenda in 2006 whether in a domestic or international context. This need to find the appropriate balance formed a backdrop to the work of the Office of the Data Protection Commissioner during 2006.NOTE: Case Study 14 as published was subsequently amended. Correct Case Study is available off the navigation bar on the left-hand side under Case Studies - 2006 - Case Study 14.[First published on 15 May 2007]

Seventeenth Annual Report of the Data Protection Commissioner 2005During the course of 2005 a number of complaints were made to my office about the publication of material relating to the private life of individuals. Although the media can avail of exemptions under the Data Protection Acts 1988 & 2003 designed to permit them to conduct their legitimate business, any reliance on the publication being in the public interest must be balanced with an individual's right to privacy.
[First published on 11 April 2006]

Sixteenth Annual Report of the Data Protection Commissioner 2004In presenting this sixteenth annual report - my fifth - outlining the activities of the Office of the Data Protection Commissioner for 2004, I feel it is an opportune moment to outline to the Oireachtas my general reflections on where data protection stands in the early part of the 21st century.[First published on 19 April 2005]

Fifteenth Annual Report of the Data Protection Commissioner 2003The Office of the Data Protection Commissioner has a wide range of responsibilities associated with the supervision of the Data Protection Acts 1988 and 2003. In general terms, data protection places obligations on those holding information about people - data controllers - and gives everyone the right to find out what information is being kept about themselves. This means that my Office carries out two main functions.[First published on 22 April 2004]

Fourteenth Annual Report of the Data Protection Commissioner 2002I am pleased to present the fourteenth Annual Report in relation to the work of the Office of the Data Protection Commissioner since it was established in 1989. It outlines the activities of my Office during 2002. In the current information era the concepts of privacy and data protection are on occasions put forward as a barrier to progress. On the contrary I feel strongly that for the information society to succeed it is vital that good data protection practices are in place.
[First published on 17 April 2003]

Thirteenth Annual Report of the Data Protection Commissioner 2001The Office of the Data Protection Commissioner is engaged in a diverse range of activities, both domestically and at international level. This section gives a comprehensive overview of the activities of my Office in 2001, with some emphasis upon a number of areas which I consider to be of particular interest.
[First published on 01 May 2002]

Twelfth Annual Report of the Data Protection Commissioner 2000I am pleased to present this twelfth Annual Report in relation to the work of the Office of the Data Protection Commissioner since it was established in 1989. I was appointed Data Protection Commissioner in September 2000 and accordingly this annual report for 2000 also refers to matters considered by my predecessor, Mr Fergus Glavey, whose seven year term as Commissioner then concluded. I am happy to record that the work undertaken both by Mr Glavey and the first Commissioner, Mr Donal Lenihan, has enabled this office to work in a co-operative and effective manner and I intend to carry on that tradition.
[First published on 01 August 2001]

Eleventh Annual Report of the Data Protection Commissioner 1999Data protection law and practice are all about securing respect for the individual's right to private life. The right to private life has long been recognised in human rights charters such as the Universal Declaration of Human Rights of 1948 and the European Convention on Human Rights and Fundamental Freedoms, 1953. European data protection authorities are acutely conscious of the human rights origins of data protection, as can be seen from their comments in Appendix 5 on the recently mooted charter of fundamental rights in the European Union: "Inclusion of data protection among the fundamental rights of Europe would make such protection a legal requirement throughout the Union and reflect its increasing importance in the information society."[First published on 01 August 2000]

Tenth Annual Report of the Data Protection Commissioner 1998Ireland is now very much in the information age. The Data Protection Act, 1988 can rightly be seen as one part of the infrastructure needed to underpin the new 'information society' which is characterised by instant processing of the information flows needed for access to, and delivery of, private and public services. To the extent that people are being asked, and indeed required, to provide personal information in these contexts, it is reasonable that safeguards be put in place to uphold the individual's right to privacy and to control over their personal details, and it is precisely this protection that the Act provides.
[First published on 01 October 1999]

Ninth Annual Report of the Data Protection Commissioner 1997The Data Protection Act, 1988 is now in its tenth year and while in my view it has served its purpose well the time is clearly opportune to reiterate the respect for privacy as a fundamental human right which is implicit in the 1988 Act while providing for the application of information technology in ways which were never foreseen at the time. In this context the Government's commitment to introduce amending legislation to transpose EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data is to be welcomed.
[First published on 01 November 1998]